Suspected false positives during "deep-inspection" scan.

When I do a "deep-inspection" spyware scan with ZAX (298) I get three hits recommending that files be "Quarantined." I'm pretty sure these are false positives based on other reports (on both ZA and other security forums) talking about these same or similar alerts being false positives. It also appears that if I let ZA quarantine these files, it will break the functioning of some legitimate programs.
Here is some of the info from the scan:
Win32.Trojan.Rbot
File: C:\Program Files\NVIDIA Corporation\NVIDIA PhysX\Demos\Fluids\glut32.dll
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD
Win32.Trojan.Clicker.Small.is
File: D:\...\2k9win32\awkeygen.exe
Power Spy
File: C:\Documents and Settings\All Users\Start Menu\Programs\Orban\AAC-aacPlus Plugin\Uninstall AAC-aacPlus Plugin.lnk
File: C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe
File: C:\System Volume Information\_restore{2D742486...}\...\A0052675.exe
As I said, I 'think' these are false positives, but how can I confirm this? I've read about people sending in files to have false positives confirmed -- does ZA have such a service? I did send in the normal ZA tech support form, but I don't know if there is a better way to get help with this. It might also be important to note that for verification, I scanned the same files with SuperAntiSpyware (with latest updates) and received no alerts.
Thanks,
Larry

Re: Suspected false positives during "deep-inspection" scan.

Thanks.
It's definitely the "spyware" scan and NOT the "anti-virus" scan that is giving me the alerts. I already filled out and sent in the ZA form linked in that post, but since the form has no provision for uploads, I was unable to send them the actual files themselves.

Without the files, I don't see how ZA could 1) verify whether or not these are false positives, or 2) fix the issue if they are in fact false positives, so I assume that ZA will ask me to email the files to them in a followup email response. I'll post back with any information I get.
On this subject, I read on this forum about a site called virustotal.com, where you can send in files with potential infections for analysis by 39 engines. I sent in all the files in question (4 files total) and I'm interested in getting feedback and opinions from ZA users on the results and the way I'm interpreting them.
The virustotal results were all negative (0/39) except for a 1/39 report on one of them. In other words, on this one file, of the 39 engines that virustotal.com uses, ONE of them saw the file as having an infection. It was "esafe 7.0.17.0" that saw an infection in this file, which it listed as "Win32.SusKeygen.a" (ZAX lists it as "Win32.Trojan.Clicker.Small.is" instead).
Given this, my interpretation at this point would be to assume that all the alerts were indeed false positives, including the file that had the "1/39" result, since with this many negatives it seems far more likely that the single hit (or "double" hit if you count ZAX) would be a false positive.
My question is: Does this seem like sound thinking?
My thinking is that if I let ZAX quarantine these files, it will break the functionality of the programs in question, which I'd obviously like to avoid if the threat is not real. Assuming I'm properly interpreting the results, they would seem to indicate that the threat is not real, so I'm interested to hear if people think I'm properly interpreting the results.
Thanks for any feedback,
Larry
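Editor's note, added to this thread and not part of any poster's reply: the two things a practitioner would collect before letting a scanner quarantine the files above are a cryptographic hash of each file (VirusTotal and most vendor portals accept a search by SHA-256, so the file itself never has to be uploaded, which sidesteps the upload problem described in the post) and the Authenticode signature and version resource of each binary, since a valid signature from the vendor the file claims to come from is far stronger evidence than a clean scan from one more engine. The PowerShell below is an illustrative script, not a ZoneAlarm or VirusTotal tool; it uses only the full paths quoted in the first post (the truncated "..." paths cannot be reconstructed and are left out), resolves the flagged .lnk to the file it points at, and dumps the contents of the flagged registry key rather than deleting it. The VirusTotal hash lookup itself is a manual step done with the SHA256 column it prints.

```powershell
# Added example: triage files flagged by a scanner before quarantining them.
# Collects SHA-256, Authenticode status/signer and version-resource fields so
# the result can be compared with the vendor's published file and looked up
# by hash (no upload) on VirusTotal. Paths are the ones quoted in the thread.
$flagged = @(
    'C:\Program Files\NVIDIA Corporation\NVIDIA PhysX\Demos\Fluids\glut32.dll',
    'C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Orban\AAC-aacPlus Plugin\Uninstall AAC-aacPlus Plugin.lnk'
)

function Get-FlaggedFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Status = 'missing' }
    }

    # A hit on a .lnk is really about the shortcut's target: resolve it and
    # report on the target, keeping the shortcut path for reference.
    if ([IO.Path]::GetExtension($Path) -ieq '.lnk') {
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($Path).TargetPath
        if ($target) {
            return (Get-FlaggedFileReport -Path $target |
                Add-Member -NotePropertyName Shortcut -NotePropertyValue $Path -PassThru)
        }
    }

    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path        = $Path
        Status      = 'present'
        SHA256      = $hash.Hash            # search this on VirusTotal instead of uploading
        Signature   = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        Company     = $info.CompanyName     # unsigned vendor claims: verify against the vendor's download
        Product     = $info.ProductName
        FileVersion = $info.FileVersion
    }
}

$flagged | ForEach-Object { Get-FlaggedFileReport -Path $_ } | Format-List

# The flagged registry key: inspect what it holds before removing anything.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD'
if (Test-Path -LiteralPath $key) {
    Get-ItemProperty -LiteralPath $key | Format-List
} else {
    "Registry key not present: $key"
}
```

Reading the output: `Signature = Valid` with a `Signer` matching the vendor named in `Company` settles the question for that file; `NotSigned` (common for redistributed libraries such as a GLUT DLL shipped with demos) settles nothing either way, and the SHA-256 should then be searched on VirusTotal and compared with the hash of the same file from the vendor's installer. `HashMismatch` means the signed file has been modified and is the one case where the scanner's verdict should be taken seriously regardless of how many engines stay quiet.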

Re: Suspected false positives during "deep-inspection" scan.

Hi! No need to post here, you already know perfectly well how to proceed, including the use of VirusTotal. Any security tool is subject to false positives, it's normal. You just need to report it to the producer as already suggested.

lalittle wrote:
> Win32.Trojan.Clicker.Small.is
> File: D:\...\2k9win32\awkeygen.exe

...and this one is a key generator to register Maya, which sounds not really legal. Also note that 'deep inspection' is prone to false positives and it is not recommended for a normal scan but only in case of malware.
Cheers,
Fax

Re: Suspected false positives during "deep-inspection" scan.

fax wrote:
> Hi! No need to post here, you already know perfectly well how to proceed, including the use of VirusTotal.

Actually, I really don't feel like I know how to proceed, since I'm not sure how to act on all the pieces of information. My "feeling" is that four 0/39 results and one 1/39 result would clearly point to false positives, and hence that I can assume that ZAX is also giving me false positives on these files, but with my limited experience in this field, and therefore with no point of reference, I honestly don't know if this is a safe assumption or not. This is why I'm very interested in hearing other opinions on this subject -- i.e. given all the information I've provided so far, what would the "experts" do? My hope in starting this thread is to get feedback from the ZA community on the actions I'm taking in the wake of these specific ZAX alerts.

fax wrote:
> Any security tool is subject to false positives, it's normal. You just need to report it to the producer as already suggested.

Unfortunately, ZA does not appear to have a means (that I could find) of directly submitting files for "spyware" analysis like I could do with "virus" (i.e. Kaspersky) alerts.

For spyware hits I'm only able to send in a ts form, so at this point I'm hoping they'll reply with a request to send them the files in question. I have no idea, however, if this is how the process works, so (once again) feedback from other users could still be quite helpful.
Thanks,
Larry

Re: Suspected false positives during "deep-inspection" scan.

fax wrote:
> Hi! Uuuhm, looks like I was not clear enough.
> You have to contact ZA technical support, they are the only ones that can instruct you on how to proceed.
> Cheers,
> Fax

Already done -- I'm just waiting to hear back from them. In the mean time, I'm still interested in any feedback/discussion from the ZA community on this subject given the info I posted above.

By getting opinions from other people on the decisions I've made and the information I've obtained so far, I hope to be able to make more informed decisions when running into this type of situation in the future. I'll post back with any information I obtain from ZA on this.
Thanks again,
Larry

Re: Suspected false positives during "deep-inspection" scan.

Hi! I already gave mine, that is:
- Do not run deep inspection, it's prone to false positives (unless you are infected)
- Use VirusTotal to check for false positives
- Report to the manufacturer
And by the way, this has been posted many times before, no need to re-discuss. Also note that this board is not a discussion forum. We deal with ZA product support issues, not with how the ZA community reacts to issues.
Cheers,
Fax

Re: Suspected false positives during "deep-inspection" scan.

GeorgeV wrote:
> Unfortunately, it seems that LaLittle is regressing back into his old habit of hijacking other users' requests for help, and trying to use this forum as a chat/discussion forum.
> (sigh)

Before any action is taken, please help me to understand where I misstepped so I can rectify the situation.

I'm honestly trying REALLY hard to never hijack any threads, so if this happened it was a misunderstanding and I apologize. My posts to other users' threads have been sincere attempts to help. I'm perfectly willing to alter my posting habits appropriately in order to stay within the guidelines and intent of this forum, but I sincerely don't know where I hijacked a thread.

I'm the starter of this thread we're in, so I assume you're referring to a different thread, but I'm not sure which one. I've been posting a lot lately because I just upgraded from ZASS 7 to ZAX 8 and there is a lot of new stuff that I'm trying to get a better understanding of. I've also been trying to "give back" by trying to help other users in situations where I've run into the same issues -- I've shared my experiences in the hope that it might help them solve the problem. The bottom line is that I'm asking for help and guidance here.

I would very much like to remain a contributor/user of this forum, so please help me out to understand where I hijacked any threads so I can fix the situation.
Thanks,
Larry